# sample connections
# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work.
interfaces="ipsec0=eth1 ipsec1=ppp0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Manual connections to be started at startup.
manualstart="test1 test2"
# Auto connections to be loaded into Pluto at startup.
plutoload="samplehth samplefire"
# Auto connections to be started at startup.
plutostart=samplefire
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
spi=0x200
esp=3des-md5-96
espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
# key lifetime (before automatic rekeying)
keylife=8h
# sample connection
conn sample
# Left security gateway and subnet behind it.
left=10.0.0.1
leftsubnet=172.16.0.0/24
# Right security gateway and subnet behind it.
right=10.12.12.1
rightsubnet=192.168.0.0/24
# Authorize this connection, but don't actually start it, at startup.
auto=add
# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
# (manual) SPI number
spi=0x200
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# In the remaining examples, deviations from the sample-tunnel configuration
# are marked with ###.
# sample host-to-host tunnel (no subnets)
# Here we assume (for purposes of illustration) that the hosts talk directly
# to each other, so we don't need next-hop settings.
conn samplehth
### left host (public-network address)
left=10.0.0.1
### next hop to reach right
leftnexthop=
### right host
right=10.12.12.1
### next hop to reach left
rightnexthop=
### (manual) SPI number
spi=0x300
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample hybrid tunnel, with a host on one end and a subnet (behind a
# security gateway) on the other
# This case is also sometimes called "road warrior".
conn samplehyb
### left host (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left
leftsubnet=172.16.0.0/24
### right host, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
### (manual) SPI number
spi=0x400
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample firewall-penetrating tunnel
# Here we assume that firewalling is being done on the left side.
conn samplefire
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
### left is firewalling for its subnet
leftfirewall=yes
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
### (manual) SPI number
spi=0x500
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample transport-mode connection (which can only be host-to-host)
# Here we use the whole nine yards, with encryption done by ESP and
# authentication by AH; this perhaps is slightly preferable for transport
# mode, where the IP headers are exposed.
conn sampletm
### transport mode rather than tunnel
type=transport
### left host (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
### right host, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
### (manual) SPI number
spi=0x600
### (manual) encryption algorithm and parameters to it
esp=3des
espenckey=[192 bits]
### (manual) authentication algorithm and parameters to it
ah=hmac-md5
ahkey=[128 bits]
### (auto) authentication control
auth=ah
# sample description with keys split out into a separate section
# Normally the key section would go in a separate file, with tighter
# permissions set on it.
conn samplesep
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
### (manual) SPI number
spi=0x700
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
also=samplesep-keys
# keys for the previous section
# Normally this would go in a separate file, picked up using an include line,
# to allow keeping the keys confidential.
conn samplesep-keys
espenckey=[192 bits]
espauthkey=[128 bits]